Recently an attack on GSM (Global System for Mobile communications) phones has been reported, where it is possible to prevent a certain victim UE (user equipment) from receiving mobile terminating traffic such as calls or SMS (Short Message Service).
The attack involves modifying a phone's embedded software so that it can trick the network out of delivering incoming calls or SMS messages to the intended recipients. In theory, one phone could block service to all subscribers served by the radio base stations within a radio network coverage area, e.g. a location area.
The patched firmware of the modified phones can block mobile terminating traffic because it simply responds to paging requests much faster than a standard phone ever could. When the network sends out a page request, the modified UE responds immediately, leaving no chance for the victim's UE to respond.
The paper "Exploiting Broadcast Information in Cellular Networks", written by Nico Golde, Kévin Redon, and Jean-Pierre Seifert of Technische Universität Berlin and Deutsche Telekom Innovation Laboratories (retrievable under www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_golde.pdf) and presented at a recent security conference, provides more details about the possible attack.
The paging attack is possible due to a race condition when a UE responds to a paging request on the paging channel. The paging request initiated by the MSC (Mobile Switching Center) is broadcast in the location area where the terminal is located, so it is received by every UE in that location area. If a fraudulent terminal with a modified implementation of the GSM protocol stack answers the paging request faster than the paged subscriber's UE, then the terminating transaction is delivered to the fraudulent terminal instead. The delivery of the terminating transaction to the fraudulent terminal will eventually fail if authentication or ciphering is used for this terminating transaction. Even so, the intended subscriber is still prevented from receiving the terminating transaction.
The attack is possible because of the time gap between the paging request and the paging response on the one hand, and the authentication of the UE that has answered the paging on the other: the network commits to the first responder before it has verified who that responder is.
The paper presented at this security conference suggests two countermeasures against this Denial-of-Service attack:
Firstly, to authenticate the UE before delivering mobile terminating traffic services. However, this implies that every mobile terminating call and every mobile terminating SMS needs to be authenticated by the MSC, which is not done today and which introduces a high load on MSC nodes, the HLR (Home Location Register) and the AuC (Authentication Center). Every authentication consumes one fresh authentication vector per mobile terminating call and per mobile terminating SMS. So this is hardly feasible in practice.
Secondly, the use of authenticated paging is proposed: this requires a change to the standards, and also corresponding changes in all MSC nodes and in all UEs. So this countermeasure cannot be applied to legacy UEs, which leaves this approach, too, hardly feasible in practice.
Since the UEs of fire brigades, police, or security squads are also vulnerable to this Denial-of-Service attack, there is a clear need for an improved paging procedure with enhanced security that can be seamlessly deployed into existing networks.
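The following toy model, added here and not taken from the paper or from any GSM implementation, illustrates the race in the paging procedure and the cost of the first countermeasure: the network serves whichever paging response arrives first, so even when the MSC authenticates the responder before delivery (spending one authentication vector per mobile terminating transaction) the paged subscriber still loses the transaction. Every identity, key and delay value in it is constructed sample data.

```python
# Toy model of the GSM paging race (constructed for illustration, not real protocol code):
# the MSC pages a TMSI, every UE in the location area hears it, first response wins.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class UE:
    name: str
    tmsi: int                 # identity the network pages with
    ki: bytes                 # key on the SIM; a rogue does not hold the victim's Ki
    response_delay_ms: float  # time from paging request to paging response
    answers_any_page: bool = False  # modified firmware answers every page it hears

    def responds_to(self, paged_tmsi: int) -> bool:
        return self.answers_any_page or paged_tmsi == self.tmsi

@dataclass
class Network:
    auc_keys: Dict[int, bytes]  # HLR/AuC view: tmsi -> Ki (constructed sample data)
    auth_vectors_used: int = 0  # one fresh vector consumed per authentication run

    def authenticate(self, tmsi: int, responder: UE) -> bool:
        self.auth_vectors_used += 1
        return self.auc_keys.get(tmsi) == responder.ki

    def deliver_mt_transaction(self, tmsi: int, area: List[UE],
                               authenticate_first: bool) -> Optional[str]:
        # Returns the name of the UE that received the MT call/SMS, or None.
        responders = [ue for ue in area if ue.responds_to(tmsi)]
        if not responders:
            return None
        # Race condition: the first paging response takes the transaction; later ones are ignored.
        winner = min(responders, key=lambda ue: ue.response_delay_ms)
        if authenticate_first and not self.authenticate(tmsi, winner):
            return None  # misdelivery prevented, but the paged UE has already lost the race
        return winner.name

VICTIM_KI = b"victim-ki-constructed"
victim = UE("victim", tmsi=0x1234, ki=VICTIM_KI, response_delay_ms=120.0)
rogue = UE("rogue", tmsi=0x9999, ki=b"no-valid-ki", response_delay_ms=5.0, answers_any_page=True)
AUC = {0x1234: VICTIM_KI}

def run(area: List[UE], authenticate_first: bool):
    """Page the victim's TMSI in `area`; return (served UE or None, auth vectors spent)."""
    net = Network(dict(AUC))
    served = net.deliver_mt_transaction(victim.tmsi, area, authenticate_first)
    return served, net.auth_vectors_used

if __name__ == "__main__":
    print(run([victim], False), run([victim, rogue], False), run([victim, rogue], True))
```

The three runs show, in order, normal delivery, misdelivery to the faster responder, and the authenticate-first countermeasure: no misdelivery, one authentication vector consumed, and the victim still not served.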